Magnet Forensics June 2022 CTF - Linux

This CTF was hosted by Magnet Forensics and was held on June 15, 2022, from 3 PM - 6 PM EST. Two datasets were provided - a Linux box and an iOS 15 FFS extract.

Tools I Used: Magnet AXIOM Examine v6.2.0.31740 and Autopsy v4.19.3

LINUX QUESTIONS:

I use print statements for my logging: What is the name of the utility/library the user was looking at exploits for?  Log4j

This question took much longer than I’d like to admit. I have no experience with Log4j, so I didn’t know exactly what it was. Apache Log4j is a Java-based logging utility. The answer was found in AXIOM > Web Related > Firefox Web History.

Or: by using Autopsy to traverse the filesystem to home\rafael\snap\firefox\common\.mozilla\firefox\mcrcm1xn.default\places.sqlite and looking in the moz_places table.
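
To pull the same history out of places.sqlite without a GUI, here is an added Python example (my own code, not from the write-up or from either tool): it opens the database read-only, joins moz_historyvisits to moz_places so every visit is listed rather than only the last one, converts Firefox's PRTime microsecond timestamps to UTC, and runs against a constructed in-memory stand-in for the real file.

```python
import sqlite3
from datetime import datetime, timezone

def open_places(path: str) -> sqlite3.Connection:
    """Open a places.sqlite exported from the image read-only. immutable=1 means no
    locks and no writes, but it also ignores a -wal sidecar, where the newest visits
    may live, so check whether places.sqlite-wal was exported alongside it."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)

def prtime_to_utc(prtime: int) -> datetime:
    """Firefox stores visit_date and last_visit_date as PRTime: microseconds since the epoch."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)

def search_history(con: sqlite3.Connection, keyword: str):
    """Every visit whose URL or title contains keyword (LIKE is case-insensitive for
    ASCII), oldest first, as (visit_time_utc, url, title)."""
    like = f"%{keyword}%"
    rows = con.execute(
        """SELECT v.visit_date, p.url, p.title
             FROM moz_historyvisits AS v
             JOIN moz_places AS p ON p.id = v.place_id
            WHERE p.url LIKE ? OR p.title LIKE ?
            ORDER BY v.visit_date""",
        (like, like),
    ).fetchall()
    return [(prtime_to_utc(ts), url, title) for ts, url, title in rows]

def sample_places() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite (not the CTF file) with just
    the columns the query above touches."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER);""")
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", [
        (1, "https://www.example.invalid/search?q=log4j+cve-2021-44228",
         "log4j cve-2021-44228 - Search", 2, 1644433200000000),
        (2, "https://www.example.invalid/weather", "Weather", 1, 1644432000000000),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, 1644431400000000), (2, 2, 1644432000000000), (3, 1, 1644433200000000),
    ])
    con.commit()
    return con
```

For the real file, `search_history(open_places("places.sqlite"), "log4j")` replaces the sample connection.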

Mischievous Lemur: What is the version ID number of the operating system on the machine? Format: XX.XX  21.10

The operating system version can be found in AXIOM > OPERATING SYSTEM > Operating System Information – Linux

Or: by using Autopsy to traverse the filesystem to etc\lsb-release

$whoami: What is the hostname of the computer? rshell-lenovo

Users with sudo privileges can change a hostname by invoking the hostnamectl command. Hostnames are used to make it easier to locate and distinguish devices on a network. You can find the hostname in AXIOM by going to:

AXIOM > OPERATING SYSTEM > Operating System Information - Linux

Or: by using Autopsy to traverse the filesystem to etc/hostname

A little blue birdie told me: What is one anime that the user likes? Attack on Titan

I figured the little blue birdie was referring to Mozilla Thunderbird, a free and open-source cross-platform email client. However, I had no idea what I was looking for, as I am unfamiliar with anime. So I started browsing e-mails in Autopsy under Data artifacts > E-mail Messages > Default. There was an e-mail that contained Twitter highlights. I googled one of the highlights, “Attack on Titan,” and it appeared to be an anime, so I figured that was the answer.

Attack on Titan is a Japanese manga series written and illustrated by Hajime Isayama.

Into the Matrix we go: What is the UUID for the attacker's Minecraft account? 8b0dec19-b463-477e-9548-eef20c861492

This one I went straight to Google for after finding the account name. Gamers seem to keep track of all sorts of stats. I was unsure if the UUID is useful in Minecraft, but apparently, some websites will provide you with the UUID if you have the account name. I also later found this hint in the web history: "get Minecraft UUID of user." So if we head to https://mcuuid.net and input the username n30forever, we get the UUID.

There is also a screenshot in Rafael's user folder named RAOxspYx.jpeg that shows the UUID in a CMD window. However, it is quite blurry; I found it easier to get the UUID through the website I used above.

A third option is home/rafael/marshalsec/poc/GhTvNIel.jpeg – a bit clearer than the screenshot above.

Be our guest: What was the user's first password for the guest wifi? 093483

There were e-mails in the other Magnet CTF that showed information about the Guest Wi-Fi Connection, so I decided to head over to the e-mails to check there first. Using Autopsy, I headed to Data Artifacts > E-mail Messages > Default and sorted by name. I found four e-mails from noreply@champlain.edu welcoming Rafael to the Wi-Fi network, Champlain Guest. I clicked on the oldest one to find the first password provided.

Today’s YouTube video is sponsored by…: What VPN client did the user install and use on the machine? zerotier

Software on Linux is typically installed from the terminal, so I figured I would find this answer in the bash history file. Using Autopsy, head to Data Sources/LenovoFinal.E01/vol5/home/rafael/.bash_history. Here we can see that the user installed zerotier directly from the zerotier website using the curl command. Curl, short for Client URL, is a command-line tool that transfers data to or from a server. The -s option turns on silent mode, which suppresses curl's progress meter and error messages.
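
An added example of reading that artifact programmatically (my code, not the write-up's): it parses a constructed .bash_history, keeps the `#<epoch>` timestamp lines bash writes when HISTTIMEFORMAT is set, and lists every curl or wget command together with its URLs and whether the download was piped straight into a shell, which is the kind of install line worth a second look in triage.

```python
import re
from datetime import datetime, timezone

FETCH = re.compile(r"\b(curl|wget)\b")
URL = re.compile(r"https?://\S+")
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")

def parse_history(text: str):
    """Parse ~/.bash_history into (timestamp_utc_or_None, command) tuples. Bash only
    records timestamps when HISTTIMEFORMAT is set, as a '#<epoch>' line preceding
    each command; without them, ordering is all the file gives you."""
    entries, stamp = [], None
    for line in text.splitlines():
        if re.fullmatch(r"#\d{9,10}", line):
            stamp = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
            continue
        if line.strip():
            entries.append((stamp, line.rstrip()))
            stamp = None  # a timestamp applies to the one command that follows it
    return entries

def remote_fetches(entries):
    """Commands that pull content from the network, with the URLs involved and a flag
    for the 'download | shell' installer pattern."""
    found = []
    for stamp, cmd in entries:
        if FETCH.search(cmd):
            found.append({"time": stamp, "command": cmd, "urls": URL.findall(cmd),
                          "pipe_to_shell": bool(PIPE_TO_SHELL.search(cmd))})
    return found

# Constructed sample history (not the CTF file); the hosts are placeholders.
SAMPLE_HISTORY = """\
#1644431400
curl -s https://install.example.invalid/ | sudo bash
#1644431460
sudo apt update
wget -q https://downloads.example.invalid/tool.tar.gz
echo done
"""
```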

If a picture is worth a thousand words how many is a video worth?: The user watched a video that premiered on Dec 11th 2021. How many views did it have when they watched it on February 9th?  265,355

At first, I thought there might be a site that keeps track of view history. However, I remember seeing screenshots, and the “picture is worth a thousand words” led me to believe there might be something on one of those screenshots. There are five screenshots in Rafael’s Pictures folder, home/rafael/Pictures. In three screenshots, you can see Firefox open on a YouTube page. The YouTube video is titled “CVE-2021-44228 – Log4j – MINECRAFT VULNERABLE!” released on December 11, 2021, by John Hammond. The February 9 date can be found in the timestamps and at the top of the desktop taskbar.

I’m hungry for videos: What is the new channel name for the YouTuber whose cookbook is shown on the device? Babish Culinary Universe

I stumbled across this answer while browsing through the photos for another question. This photo can be located at: home/rafael/marshalsec/poc/aaGkBJdu.jpeg

If we google “Binging with Babish,” we find the YouTube channel on page 1 of the results. Click on the YouTube link, and it will take you to “Babish Culinary Universe.”

From the Babish Culinary Universe Channel: "Follow along with my torso every week as I recreate the iconic and obscure foods from your favorite movies and TV shows, all in dazzling 4K. We'll make some delicious dishes, have a little fun, and if you're not careful, you might just learn a thing or two".

Never gonna give... up on this question: What is the upload date of the second YouTube video on the channel where the user downloaded a YouTube video from? (Format MM/DD/YYYY) 10/25/2009

The song Never Gonna Give You Up by Rick Astley was found in Rafael’s Downloads folder. So we can go to the web history to see which YouTube channel he visited in order to find the second upload. Rafael was on Rick Astley’s official YouTube channel. If you click on Videos and scroll to the bottom, you will find the second uploaded video, “Whenever You Need Somebody.”

Buzzy Bees: What is the SHA-1 hash of the "latest" release of Minecraft according to the system?

I was overthinking this one at first because of the question title "Buzzy Bees." Looking up the Buzzy Bees Minecraft update, it appears that the versions included in this update are 1.14 and 1.15. The question asks for the latest release of Minecraft, so I just focused on the most recent release that was on the machine. Using Autopsy, we can head to home/rafael/.minecraft/versions/1.18.1. This version is the latest release according to the system, and the hash can be found in the 1.18.1.json file. I had to try a few SHA-1 hashes before getting the correct one. 
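
Since the version JSON carries several SHA-1 values, here is an added Python example (not code from the write-up) that lists every sha1 entry with the JSON path it belongs to and reports which artifact a given file actually is. The manifest below is a constructed stand-in for 1.18.1.json; its layout (downloads.client, libraries[].downloads.artifact, assetIndex) is my assumption about the launcher format, and the hashes other than the client one are placeholders.

```python
import hashlib
import json

def walk_sha1(node, path=""):
    """Yield (json_path, sha1) for every "sha1" key in a version manifest. The launcher
    records one per downloadable artifact (client/server jars, libraries, asset index,
    logging config), which is why several different hashes live in one file."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "sha1" and isinstance(value, str):
                yield path, value.lower()
            else:
                yield from walk_sha1(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_sha1(value, f"{path}[{i}]")

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def entries_matching(manifest: dict, data: bytes):
    """Manifest paths whose recorded SHA-1 equals sha1(data): tells you which listed
    artifact a jar pulled from the image is, or that no listed artifact has that hash."""
    digest = sha1_hex(data)
    return [path for path, sha1 in walk_sha1(manifest) if sha1 == digest]

def load_manifest(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

# Constructed stand-in for 1.18.1.json (not the CTF file). Per-artifact objects
# carrying sha1/size/url are my assumption about the launcher's format.
CLIENT_JAR = b"constructed stand-in for the client jar bytes"
SAMPLE_MANIFEST = {
    "id": "1.18.1", "type": "release",
    "assetIndex": {"id": "1.18", "sha1": "0" * 40, "url": "https://example.invalid/1.18.json"},
    "downloads": {
        "client": {"sha1": sha1_hex(CLIENT_JAR).upper(), "size": len(CLIENT_JAR),
                   "url": "https://example.invalid/client.jar"},
        "server": {"sha1": "1" * 40, "size": 1, "url": "https://example.invalid/server.jar"},
    },
    "libraries": [{"name": "example:lib:1.0", "downloads": {"artifact": {
        "path": "example/lib/1.0/lib-1.0.jar", "sha1": "2" * 40, "size": 1,
        "url": "https://example.invalid/lib-1.0.jar"}}}],
}
```

Against the real file, `entries_matching(load_manifest("1.18.1.json"), open("client.jar", "rb").read())` names the entry whose hash the question is after.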

It's raining ocelots and wolves: According to Windows, what was the temperature in Fahrenheit on February 11th, 2022 at 6:30 PM? (Format: XXF | Example: 14F) 26F

Located in the pictures directory is a screenshot of a Windows machine. The weather, date, and time can be found on the taskbar. This screenshot is in the same folder as the one for the cookbook question: home/rafael/marshalsec/poc/aaGkBJdu.jpeg

The RCE is base(64)d on what?: What were the three flags and their values that were passed to powercat? The answer must be provided in the same format as the command was entered. (For example, if the command was "powercat -D Y -l a -n" the answer would be "-D Y -l a -n") powercat -c -p -e

Powercat is used to send and serve shells. To get the answer to this question, I searched for “powercat” in Autopsy. The answer can be found in the swapfile.
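
A keyword search matches the plain ASCII string. As an added example (my code, not the write-up's), the carver below also finds the keyword when it is stored as UTF-16LE, which is how PowerShell holds command lines in memory, or base64-encoded in either form, by searching for the alignment-independent base64 fragments of the keyword and decoding the surrounding base64 run. The sample dump is constructed around the question's own example command line; nothing in it comes from the CTF swapfile.

```python
import base64
import re
B64 = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

def readable(text: str) -> str:
    """Collapse every run of non-printable characters into one space."""
    return re.sub(r"[^\x20-\x7e]+", " ", text).strip()

def base64_fragments(needle: bytes):
    """Base64 substrings present whenever `needle` is encoded, one per byte alignment
    (0, 1 or 2 preceding bytes); chars that mix with neighbouring bytes are dropped."""
    frags = []
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + needle).rstrip(b"=")
        enc = enc[: len(enc) - len(enc) % 4]  # drop the incomplete trailing group
        frags.append(enc[(0, 2, 3)[lead]:])   # drop chars that depend on the lead bytes
    return frags

def base64_run(blob: bytes, start: int, end: int) -> bytes:
    """Widen [start, end) to the whole run of base64 text around it and decode it."""
    while start > 0 and blob[start - 1] in B64:
        start -= 1
    while end < len(blob) and blob[end] in B64:
        end += 1
    run = blob[start:end]
    if len(run) % 4 == 1:  # a lone trailing character encodes nothing
        run = run[:-1]
    return base64.b64decode(run + b"=" * (-len(run) % 4))

def carve_keyword(blob: bytes, keyword: str, context: int = 40):
    """Find `keyword` in a raw dump such as a swapfile as ASCII, as UTF-16LE (how
    PowerShell holds command lines in memory) and base64-encoded in either form.
    Returns (offset, form, readable_context); keep `context` even for UTF-16 alignment."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = keyword.encode(enc)
        for m in re.finditer(re.escape(needle), blob, re.IGNORECASE):
            window = blob[max(0, m.start() - context): m.end() + context]
            hits.append((m.start(), enc, readable(window.decode(enc, "replace"))))
        for frag in base64_fragments(needle):
            for m in re.finditer(re.escape(frag), blob):
                text = base64_run(blob, m.start(), m.end()).decode(enc, "replace")
                hits.append((m.start(), "base64/" + enc, readable(text)))
    return sorted(hits)

# Constructed sample (not the CTF image): the question's example command in all three forms.
SAMPLE_CMD = "powercat -D Y -l a -n"
SAMPLE_SWAP = (b"\x00" * 8 + b"bash: " + SAMPLE_CMD.encode() + b"\n" + b"\xff" * 6
               + ("powershell " + SAMPLE_CMD).encode("utf-16-le") + b"\x00" * 4
               + b"-EncodedCommand " + base64.b64encode(SAMPLE_CMD.encode("utf-16-le")))
```

`carve_keyword(open("swapfile", "rb").read(), "powercat")` runs the same search over an exported swap image.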


💥🔎If this has inspired you to practice your forensic skills, Magnet Forensics and many other authors have uploaded datasets on the Computer Forensic Reference DataSet Portal (CFReDS).